Upcoming Compliance Deadline for Massachusetts Service Provider Contracts

This blog entry was contributed by Kate Abramson, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office.

Massachusetts information security regulations (“Standards for the Protection of Personal Information of Residents of the Commonwealth”) took effect on March 1, 2010. In approximately five weeks, covered companies face a compliance deadline relating to their third party service provider contracts.

To reduce the risk of data breaches involving third-party service providers, the regulations require companies to take reasonable measures to select vendors capable of “maintaining appropriate security measures to protect such personal information consistent with [the] regulations and any applicable federal regulations.” Furthermore, the regulations mandate that companies contractually require their service providers to safeguard personal information in accordance with the Massachusetts regulations and applicable federal requirements.


VIDEO: In Honor of Data Privacy Day, Hogan Lovells Privacy Lawyers Talk About the Year Ahead in Privacy

 Happy Data Privacy Day to all!

Privacy Torts in Canada and the International Convergence of Privacy Law

In a recent case, the Court of Appeal for Ontario, Canada recognized the privacy torts that are widely-recognized in the United States.  Many foreign common law jurisdictions, including the United Kingdom and other countries, have steadfastly refused to recognize the privacy torts spawned by the 1890 law review article by Samuel Warren and Louis Brandeis, The Right to Privacy,  4 Harv. L. Rev. 193 (1890).  These torts – intrusion upon seclusion, public disclosure of private facts, false light, and appropriation of name or likeness – are known collectively as “invasion of privacy.”  In the case of Jones v. Tsige, 2012 ONCA 42 (Jan. 18, 2012), the Court of Appeal for Ontario finally recognized the US privacy tort of intrusion upon seclusion – intentionally intruding upon a person’s seclusion or solitude, or into his private affairs.


European Commission Releases Official Draft of Groundbreaking Data Protection Regulation

This blog post was provided by Quentin Archer, a partner in the London office of Hogan Lovells

The European Commission today published its proposal for a new Data Protection Regulation. The Regulation, which is not likely to come into force before 2014, is intended to harmonise data protection law in all 27 EU Member States and thus remove current differences which have proved problematic for business and individuals. Upon final passage of the Regulation, the current 1995 Data Protection Directive will be repealed.


Supreme Court Decision in Warrantless GPS Tracking Case Offers Little Guidance in Consumer Privacy Context

Sometimes Fourth Amendment cases (which by definition arise in a governmental context) have implications for consumer privacy law, since the "reasonable expectation of privacy" analysis can be employed in both areas.  Yesterday's U.S. Supreme Court 9-0 ruling in United States v. Jones that the warrantless attachment of a GPS device to a car for monitoring purposes violated the Fourth Amendment offers little guidance in the consumer privacy context, as the majority of the Court did not rely on an "expectation of privacy" analysis.  The Court's main opinion, written by Justice Scalia, focused on the narrow issue of whether there was a trespass when the GPS device was attached to the suspect's car.  Concluding that a trespass occurred, the majority of the Court found that a warrant was required under the Fourth Amendment.  Justice Scalia delivered the opinion of the Court, in which Chief Justice Roberts and Justices Kennedy, Thomas and Sotomayor joined.  Justice Sotomayor wrote her own concurring opinion, and Justice Alito filed an opinion concurring in the judgment, in which Justices Ginsburg, Breyer and Kagan joined.

The main opinion of the Court chose not to address the issue of whether the suspect had a reasonable expectation of privacy not to be monitored, which was another available avenue of analysis.  Justice Alito said: "I would analyze the question presented in this case by asking whether respondent's reasonable expectations of privacy were violated by the long-term monitoring of the movements of the vehicle he drove."  And Justice Sotomayor in her concurrence illustrated how far the Court could have gone to address the "reasonable expectation of privacy"  issue:

[I]t may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. (citation omitted). This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. Perhaps, as Justice Alito notes, some people may find the “tradeoff” of privacy for convenience “worthwhile,” or come to accept this “diminution of privacy” as “inevitable,” and perhaps not. I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year. But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection. Smith, 442 U. S., at 749 (Marshall, J., dissenting) (“Privacy is not a discrete commodity, possessed absolutely or not at all. Those who disclose certain facts to a bank or phone company for a limited business purpose need not assume that this information will be released to other persons for other purposes”); see also Katz, 389 U. S., at 351–352 (“[W]hat [a person] seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected”).

Had the Court engaged in a "reasonable expectation of privacy" analysis, that could have had an impact on the use of tort and consumer protection law to pursue privacy claims.  One could imagine the FTC declaring "unfair" under Section 5 the kind of data use deemed to have violated a reasonable expectation of privacy under the Fourth Amendment.


Announcement from European Commission on Comprehensive Data Protection Reform Coming Wednesday

Despite suggestions that the European Commission proposal for a comprehensive reform of EU data protection rules would be delayed until the Spring, an announcement is scheduled for this Wednesday, January 25 at 12:30 PM CET (6:30 AM EST).  The press conference with Viviane Reding, Vice-President of the European Commission in charge of Justice will be live streamed here.

It appears that the requirement for notice within 24 hours of a data security breach will be part of the proposal, despite objections, based on experience with the 49 jurisdictional data security laws in the United States, that within such a short time period it is often impossible to assess a breach, much less notify.  Also, the potential financial penalty of up to 5% of an entity's global turnover for violations of the privacy regulation was a subject of enormous controversy when leaked; it now appears that the upper limit of the financial penalty will be 2%, which is still a very significant amount.

In a speech on Saturday to the Digital Life Design conference in Munich, Ms. Reding previewed what the Commission's proposals will include.  (A link to a video of her speech is here.)

Some excerpts, as reported by the Wall Street Journal Tech Europe blog.  Here, Ms. Reding speaks of the change to a regulation from a directive:

A company will have to comply with one law for the whole of the EU territory. It will only have to deal with one single data protection authority. It will be the data protection authority of the member state in which the company has its main establishment. It will not matter anymore which data protection authority deals with a case. All data protection authorities in whatever EU country will have the same adequate tools and powers to enforce EU-law.


Noteworthy Data Privacy Day Program to be Live-Streamed on January 26

In honor of Data Privacy Day, the National Cyber Security Alliance and Facebook will present a live-streamed program on Thursday, January 26 at 9:30 a.m. ET at the George Washington University Law School.

"The Intersection of Privacy & Security" will feature:

The Honorable Julie Brill, Commissioner, Federal Trade Commission

Rick Buck, Head of Privacy GSI, eBay

Erin Egan, Chief Privacy Officer, Policy, Facebook

David Hoffman, Director of Security Policy and Global Privacy Officer, Intel

Gerard Lewis, Vice President, Deputy General Counsel & Chief Privacy Officer, Comcast

Ari Schwartz, Senior Policy Advisor, Office of the Secretary, U.S. Department of Commerce

JoAnn C. Stonier, Global Privacy & Data Protection Officer, MasterCard Worldwide

Bob Quinn, Senior Vice President-Federal Regulatory & Chief Privacy Officer, AT&T

Moderator:  Christopher Wolf, Director, Hogan Lovells Privacy and Information Management practice; Founder/Co-Chair, Future of Privacy Forum

To RSVP for the event, please click here.

On the day of the event, you can view it live here.

Spanish Data Protection Authority Launches Public Consultation on Cloud Computing

By Pablo Rivas in our Madrid Office

Following the example of the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés or CNIL), the Spanish Data Protection Authority (Agencia Española de Protección de Datos or AEPD) has opened a public consultation on cloud computing to learn the opinions and experiences of service providers and users.

Interested parties have until January 27 to submit their comments. This public consultation is a good opportunity to enhance the AEPD's understanding of the data protection problems arising from cloud computing, and may also help the AEPD find viable solutions and alternatives for data protection compliance within the cloud computing environment.

Interested parties can participate in the public consultation by filling in an online form (in Spanish) accessible from the AEPD's website, www.agpd.es.

We will keep you posted on the conclusions of this public consultation of the AEPD.

California Attorney General Launches On-line Breach Reporting Form

The California Attorney General recently launched an on-line form for businesses to report breaches of security. Effective January 1 of this year, any person or business who issues a breach notification to more than 500 California residents as a result of a single breach is required under the California breach law (California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a)) to submit notice of the breach to the California Attorney General. The form requires businesses to upload a copy of a sample breach notification form and to submit additional information related to the breach, including:

· The date of the breach

· The date notice was provided to affected individuals

· The type of personal information involved

· The type of breach

In addition to the on-line reporting form, the new site also includes a section where residents can view a listing of all breaches that have been submitted to the Attorney General’s office.

European Data Protection Supervisor Releases "Inventory" of 2012 Priorities

On January 10, Peter Hustinx, the European Data Protection Supervisor (EDPS), released his annual "Inventory" of issues of strategic importance for 2012, along with an annex of the relevant Commission proposals and other documents that have been recently adopted or otherwise require the attention of the EDPS.  The strategic proposals can be grouped into four main categories:


Announcing Our New Hogan Lovells Privacy Partner Tim Tobin

We are delighted to announce that Tim Tobin, a key player in the Hogan Lovells Privacy and Information Management practice, has become a partner at our firm.

Tim Tobin’s entire professional career, even before law school, has had a privacy law focus. As an early practitioner in the relatively new field of privacy law, Tim has established himself as a "go-to guy" across the entire range of privacy law.

Tim graduated from the George Mason University School of Law in May 2001 in the top 10% of his class, magna cum laude. Tim attended the evening program at George Mason law, working full time throughout law school. At law school, he was on the Law Review and served as its Articles Editor.

Tim had a professional career prior to, and during, law school. He worked at the U.S. Parole Commission within the U.S. Department of Justice from 1992 to January 2000.  It was in this government job that Tim first became familiar with, and handled, privacy issues relating to the Freedom of Information Act (FOIA), the Privacy Act, and similar issues relating to victim privacy and Government records.

Tim joined Hogan Lovells practice director Chris Wolf at their previous firm, after a stint at a communications law-focused firm, and he assisted clients with all manner of privacy and data security issues.  At the previous firm, Tim served as senior editor of a comprehensive legal treatise on privacy law published by the Practising Law Institute (PLI) that has been highly praised.

Throughout his legal career, Tim has focused on a wide range of privacy and data security law matters. He provides compliance counselling to clients on the wide array of privacy and data security laws, and is deeply experienced in litigation, regulatory agency investigations, agency rulemaking processes, and public policy issues. Tim has worked with clients across a range of industries including those involved with the Internet, new media and communications as well as financial services, airlines, hotel, transportation, sports and entertainment, among many others.

Tim writes and speaks frequently on privacy law topics, including recently at the Los Angeles Auto Show on the topic of new automobile technologies and privacy.  He is the Smart Grid expert for the Future of Privacy Forum, and he leads the firm's pro bono efforts in a new privacy pro bono initiative spearheaded by IBM and the IAPP.

Tim has distinguished himself by his prodigious work ethic, by his comprehensive knowledge of privacy law, which he translates into thorough and practical advice for clients, and by his strategic insights on contested matters.  He also is known as a really nice guy.

We are delighted to announce his advancement to partner.

Google's Peter Fleischer: "A lot more privacy enforcement actions in 2012. And the sanctions are going to go through the roof."

Federal Trade Commissioner Julie Brill frequently has commented that when it comes to privacy enforcement, more "cops on the beat" is better.  In today's guest blog, reprinted with permission from the blog of Google's Global Privacy Counsel Peter Fleischer, the spectre of multiple privacy enforcement authorities with substantial fining authority is raised:

When Apollo wanted to stop Laokoon from warning the Trojans that there were Greek soldiers in the famous Trojan Horse, he sent two giant snakes to kill Laokoon and his sons. Talk about sanctions! Have we considered using killer snakes to punish data protection violations and to discourage future bad practices?

Since 2012 has now begun, here's a prediction about the future: there's going to be a lot more privacy enforcement actions. By a lot of different government authorities, not just DPAs. And the sanctions/damages are going to go through the roof. Indeed, it's not easy to keep track of which government officials are in charge of data protection enforcement actions. There are a lot of them.

We all think of Data Protection Authorities, and similar bodies, like the Federal Trade Commission, as responsible for enforcing privacy laws. These bodies around the world have vastly different enforcement powers, investigative cultures, and sanctions traditions, even within Europe. Some, like the Spanish DPA, impose a lot of large fines. Others, like the French CNIL, imposed only 5 financial sanctions in an entire year. The largest fine the CNIL has issued in its entire history was 100,000 euros.

And yet others, like the Belgian DPA, don't have the legal power to impose fines at all. Other DPAs hardly ever use sanctions at all, in the classic sense, other than press releases and "name and shame" tactics. Moreover, in recent years, the US Federal Trade Commission has been moving in a different direction, namely negotiating consent decrees that are forward-looking, 20-year commitments for particular companies to abide by certain privacy standards and be subject to regular audits.

But if the plethora of DPAs and their varied enforcement practices were not divergent enough, privacy enforcement is by no means limited to these specialist regulators. In the US, the individual State Attorneys General regularly bring privacy actions. There's also an entire industry of US privacy-based class actions which has sprung up in the last few years.

Moreover, in many countries, privacy laws have been inscribed into the penal codes. Consequently, any criminal prosecutor can bring such privacy penal actions. For example, my prosecution and conviction in Italy for a "privacy violation" was brought by a Milanese public prosecutor and imposed by a criminal judge.

In the future, the proliferation of the numbers of authorities who can bring privacy enforcement actions is likely to increase. First, more and more countries are creating data protection authorities, e.g., roughly a dozen new ones have been created across Latin America and Asia in the last year.

And in Europe, where class actions generally don't exist and don't fit into the existing legal framework, there are now serious proposals to create mechanisms for "collective redress" of privacy claims. And of course, there have always been the normal judicial channels, where anyone can bring privacy claims against someone else if they feel their privacy has been violated. The number of such cases is also exploding around the world, especially as more and more data about people is collected, exchanged and published.

I regularly hear people claim that there's not enough legal enforcement of privacy. In some places, as a matter of practice, that may well be true. But there is no shortage of overlapping authorities with the power to bring or adjudicate privacy claims. Curiously, in privacy circles, most of the focus is on the enforcement actions of the DPAs. But in practice, the DPAs are just one of many different authorities who can and do bring privacy enforcement actions. And the trend is clearly going up, both in terms of the numbers of laws that can be violated, in terms of the severity of sanctions, in terms of the numbers of complaints that are brought, and in terms of the breadth of authorities who are involved in enforcing privacy.

The European Commission has proposed instituting new fines for data protection breaches ranging up to 5% of global turnover! To a global company, that's probably scarier than killer snakes.

(emphasis supplied)

For Auld Lang Syne: US President Recognizes "Privacy as a Cardinal Principle of American Liberty"

The year was 1974.

Happy new year to the readers of the Hogan Lovells Chronicle of Data Protection!

District Court Dismisses Most Claims Related to Heartland Data Breach

This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office

A federal judge dismissed all but one of the claims (PDF) brought against Heartland Payment Systems, a payment card processor, in a class action lawsuit stemming from a breach of Heartland’s computer systems, demonstrating that it may be difficult to hold companies legally responsible for breaches of their data. The plaintiffs of the class action lawsuit, nine financial institutions that issued payment cards to consumers affected by the breach, balked at Heartland’s settlement offers and instead sought relief from the court, alleging breach of contract, negligence, misrepresentation, and violations of several states’ consumer-protection statutes. Only the alleged violation of Florida’s consumer-protection statute survived Heartland’s motion to dismiss, an outcome which may deter future plaintiffs affected by data breaches from rejecting settlement offers to litigate their claims.


Invitation to January 12 Event for Bay Area Readers of the HL Chronicle of Data Protection

We are pleased to invite Bay Area readers of the Hogan Lovells Chronicle of Data Protection to a morning event in Palo Alto on January 12, 2012, "Privacy and Information Management: A Global Perspective on What Businesses Should Expect in 2012."

Change is in the air for privacy law and regulation worldwide. The privacy practice at Hogan Lovells spans the globe across our 40 offices in the United States, Europe, Latin America, the Middle East, and Asia. This program will reflect the perspectives of the lawyers in our worldwide privacy practice, and will present the viewpoints of U.S. leaders from the Federal Trade Commission, a prominent technology-focused NGO, and academia, as we take a look back at privacy law developments in 2011 and take stock of the expected developments and focus on privacy law in 2012.

The program will feature FTC Commissioner Julie Brill, Jim Dempsey from the Center for Democracy and Technology and Ryan Calo from the Stanford Law School Center for Internet and Society.  It will be moderated by Hogan Lovells Privacy and Information Management practice directors Marcy Wilder and Chris Wolf.


If you would like an invitation to register for this event, please contact justin.portaz@hoganlovells.com